US Data Breach Notification Laws

US data breach notification laws establish the legal obligations that require organizations to inform affected individuals, regulators, and in some cases the public when unauthorized access to personal information occurs. The framework is fragmented across 50 state statutes, multiple federal sector-specific regulations, and agency enforcement guidance — with no single omnibus federal law governing all industries. Understanding where these obligations originate, how they interact, and where jurisdictional lines fall is essential for any organization that collects, stores, or processes personal data in the United States.

Definition and scope

A data breach notification obligation is triggered when an unauthorized party acquires — or is reasonably believed to have acquired — personal information in a form that could enable identity theft, fraud, or related harm. All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted breach notification statutes (NCSL State Security Breach Notification Laws), making breach notification a universal domestic requirement even in the absence of federal uniformity.

"Personal information" is defined differently across jurisdictions, but the baseline in most statutes is a person's first name or first initial and last name combined with at least one of: a Social Security number; a driver's license or state ID number; or a financial account, credit card or debit card number together with any code or password that would permit access to the account. Many states have added further elements, such as medical or health-insurance information, biometric data, and online account credentials. California's definition (Civil Code § 1798.82) is among the broader ones and includes medical and health-insurance information, biometric data and genetic data. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), separately defines a category of "sensitive personal information" that includes precise geolocation, but that category drives consumer privacy rights and is not itself the trigger for breach notice.

At the federal level, sector-specific statutes define their own breach notification frameworks. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 CFR §§ 164.400–414) governs covered healthcare entities and business associates. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, administered by the Federal Trade Commission, governs financial institutions not covered by banking-specific rules; banks and other depository institutions answer instead to their federal prudential regulators, which since 2022 have required notice to the regulator within 36 hours of determining that a significant computer-security incident has occurred. The Federal Communications Commission (FCC) enforces separate rules for telecommunications carriers.

Breach notification compliance therefore has two halves: the technical controls (encryption, access control, logging) that prevent a breach, limit its scope, and determine which statutory exceptions are available, and the procedural requirements that govern assessment and disclosure once an incident is identified.

How it works

Notification obligations follow a structured sequence from discovery to disclosure. The process, as codified across HIPAA, state statutes, and FTC guidance, typically proceeds through these phases:

  1. Discovery — The covered entity or business associate identifies a security incident involving personal information. The notification clock starts at discovery, not at the moment the breach occurred. Under HIPAA a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity (45 CFR § 164.404(a)(2)), so weak logging or slow triage does not defer the deadline.
  2. Risk assessment — The organization evaluates whether the incident meets the legal threshold for a reportable breach. HIPAA presumes that an impermissible use or disclosure of protected health information is a breach unless the entity demonstrates, through a four-factor risk assessment (the nature and extent of the information, the unauthorized person who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the information has been compromised (45 CFR § 164.402; HHS Breach Notification Rule guidance). Many state statutes apply a comparable harm-based threshold tied to the likelihood of misuse.
  3. Notification to individuals — Written notice must be sent to affected individuals. HIPAA requires covered entities to notify without unreasonable delay and in no case later than 60 calendar days after discovery; a business associate must notify the covered entity within the same window. State statutes impose timelines ranging from fixed deadlines such as 30 days (Florida, under Florida Statute § 501.171) to "the most expedient time possible and without unreasonable delay" in older statutes, and most allow a delay at the request of law enforcement.
  4. Notification to regulators — HIPAA mandates reporting to the U.S. Department of Health and Human Services (HHS). Breaches affecting 500 or more individuals in total, regardless of where they live, must be reported to HHS contemporaneously with the individual notices; breaches affecting fewer than 500 individuals are logged and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered (45 CFR § 164.408). State attorneys general (often only above a numeric threshold of affected residents) and, in some sectors, federal agencies (FTC, FCC, banking regulators) receive separate notices.
  5. Media notification — Under HIPAA, breaches affecting more than 500 residents of a single state or jurisdiction require notice to prominent media outlets serving that state or jurisdiction (45 CFR § 164.406).

Incident response plans for organizations handling personal data should carry these timelines as explicit operational deadlines, because the clock runs from discovery rather than from the completion of forensic work; an investigation that is still open on day 60 does not extend a HIPAA deadline.

Common scenarios

Healthcare sector breach — A hospital experiences ransomware that encrypts patient records. HHS treats the encryption of electronic protected health information by ransomware as an impermissible disclosure, so the incident is presumed to be a breach unless the entity can show through the four-factor risk assessment that there is a low probability the information was compromised (HHS ransomware guidance, 2016). In practice that showing requires forensic evidence about what the attacker accessed or exfiltrated, not merely confirmation that the data was restored. The hospital must then notify affected patients, HHS, and prominent media outlets (if more than 500 residents of a single state are affected) without unreasonable delay and no later than 60 days after discovery.

Financial institution data exposure — A bank's third-party service provider inadvertently exposes checking account numbers online. Banks fall outside the FTC's jurisdiction: they follow their federal prudential regulator's interagency guidelines on response programs for unauthorized access to customer information and, since 2022, must notify that regulator within 36 hours of determining that a reportable computer-security incident has occurred, with service providers obliged to alert the bank. Non-bank financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314) must, under the amendment that took effect in May 2024, notify the FTC within 30 days of discovering a breach involving unencrypted information of 500 or more consumers. State banking regulators and the general state breach statutes may impose parallel obligations.

Retail data breach across multiple states — A retailer operating nationally suffers a point-of-sale system intrusion affecting customers in 35 states. The organization must comply with the notification laws of each state in which affected residents reside — meaning up to 35 distinct notice templates, timelines, and regulatory contacts.

Employee records compromise — An HR database containing Social Security numbers of current and former employees is accessed by an unauthorized party. Most state statutes treat employee data identically to customer data for notification purposes.

Decision boundaries

The key compliance question in any breach scenario is whether the incident triggers a mandatory notification obligation or falls within a statutory exception. Three primary decision boundaries govern this determination:

Encrypted data exception — The majority of state statutes, and HIPAA through its definition of "unsecured" protected health information, exclude encrypted data from the notification trigger, provided the encryption key was not also compromised. HHS guidance points to NIST SP 800-111 for data at rest (and to NIST's TLS and VPN guidance for data in transit) as the benchmark for encryption that renders the data unusable, unreadable or indecipherable. The caveat a practitioner must apply is that the exception turns on the data being unreadable to the attacker, not on whether encryption was configured somewhere in the stack: a database that transparently decrypts rows for an application the attacker compromised, or a backup exfiltrated together with the account that holds its key, does not qualify, whereas a stolen, powered-off laptop with full-disk encryption typically does.

Harm threshold — Many state statutes allow an organization to forgo individual notice when, after a reasonable investigation, it determines that the breach is unlikely to result in identity theft, fraud or other harm; Florida's § 501.171 is one example, and it requires the determination to be documented in writing and retained. California is the leading counter-example: under California Civil Code § 1798.29 (public agencies) and § 1798.82 (businesses), notice is triggered by the unauthorized acquisition of unencrypted personal information itself, with no risk-of-harm exception. The trend in newer statutes and amendments has been to narrow harm-based exceptions and to require that any decision not to notify be documented.

Jurisdiction of residence vs. jurisdiction of business — Notification obligations attach to the state of residence of the affected individual, not the state in which the organization is incorporated or headquartered. An organization headquartered in Delaware that holds data on California residents must comply with California's statute for those individuals.

The interaction between federal sector-specific rules and state laws follows a preemption analysis: HIPAA preempts state laws only when the state law is less protective; more stringent state laws survive and apply concurrently (45 CFR § 160.203). GLBA preemption operates similarly under 15 U.S.C. § 6807.
